Fix Microsoft Entra ID content pack to support array of ip (#41973)

akshotiamit-pa · web-flow · commit 94191f0cfe33 · 2025-11-20T10:26:42.000+02:00
* update xif

* update xif

* update rn
diff --git a/Packs/MicrosoftEntraID/ModelingRules/MicrosoftEntraID/MicrosoftEntraID.xif b/Packs/MicrosoftEntraID/ModelingRules/MicrosoftEntraID/MicrosoftEntraID.xif
@@ -321,15 +321,17 @@ alter
   check_initiatedBy_ipAddress_v4 = if(get_initiatedBy_ipAddress ~= "(?:\d{1,3}\.){3}\d{1,3}", get_initiatedBy_ipAddress),
   check_initiatedBy_ipAddress_v6 = if(get_initiatedBy_ipAddress ~= "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}", get_initiatedBy_ipAddress)
 | alter
-  xdm.source.host.ipv4_addresses = arraycreate(check_parsed_fields_ipaddr_v4, check_initiatedBy_ipAddress_v4),
+  source_ipv4 = arraydistinct(arrayconcat(arrayfilter(split(check_initiatedBy_ipAddress_v4, ", "), is_ipv4("@element")), arrayfilter(arraycreate(check_parsed_fields_ipaddr_v4), is_ipv4("@element"))))
+| alter
+  xdm.source.host.ipv4_addresses = source_ipv4,
   xdm.source.host.ipv6_addresses = arraycreate(check_parsed_fields_ipaddr_v6, check_initiatedBy_ipAddress_v6),
-  xdm.source.host.ipv4_public_addresses = arrayfilter(arraycreate(check_parsed_fields_ipaddr_v4, check_initiatedBy_ipAddress_v4), 
-                                            not incidr("@element", "10.0.0.0/8") 
-                                            and not incidr("@element", "172.16.0.0/12") 
-                                            and not incidr("@element", "192.168.0.0/16") 
-                                            and not incidr("@element", "127.0.0.0/8") 
-                                            and not incidr("@element", "169.254.0.0/16") 
-                                            and not incidr("@element", "100.64.0.0/10")),
+  xdm.source.host.ipv4_public_addresses = arrayfilter(source_ipv4, 
+        not incidr("@element", "10.0.0.0/8") 
+        and not incidr("@element", "172.16.0.0/12") 
+        and not incidr("@element", "192.168.0.0/16") 
+        and not incidr("@element", "127.0.0.0/8") 
+        and not incidr("@element", "169.254.0.0/16") 
+        and not incidr("@element", "100.64.0.0/10")),
   xdm.event.id = id,
   xdm.event.outcome = if(result = "success", XDM_CONST.OUTCOME_SUCCESS, result = "failure", XDM_CONST.OUTCOME_FAILED, result = "unknownFutureValue", XDM_CONST.OUTCOME_UNKNOWN, result = "timeout", XDM_CONST.OUTCOME_PARTIAL),
   xdm.event.original_event_type = category,
diff --git a/Packs/MicrosoftEntraID/ReleaseNotes/1_0_22.md b/Packs/MicrosoftEntraID/ReleaseNotes/1_0_22.md
@@ -0,0 +1,6 @@
+
+#### Modeling Rules
+
+##### Microsoft Entra ID Modeling Rule
+
+- Updated the Microsoft Entra ID Modeling Rule to enhance IP address validation and improve xdm.source.host.ipv4_addresses, xdm.source.host.ipv4_public_addresses fields mapping.
diff --git a/Packs/MicrosoftEntraID/pack_metadata.json b/Packs/MicrosoftEntraID/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Azure Logs",
     "description": "Normalizes various Azure logs to the Cortex Data Model (XDM) schema, including Azure Entra ID events ingested via the Office 365 data source and Azure logs ingested via the Azure Event Hub data source.",
     "support": "xsoar",
-    "currentVersion": "1.0.21",
+    "currentVersion": "1.0.22",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
